Forum Discussion
How to prioritize cipher suites on F5
Can I prioritize the cipher suites in the SSL profile? For example, if I have the following 4 cipher suites, how do I arrange them based on priority? I want them in the following order, where 1 is the highest priority and 4 is the lowest:
1 - RSA_WITH_RC4_128_SHA
2 - RSA_WITH_AES_256_CBC_SHA
3 - RSA_WITH_AES_128_CBC_SHA
4 - RSA_WITH_3DES_EDE_CBC_SHA
22 Replies
Yes you can. Just add them from left to right, just like you've done. You can find the "short names" here:
https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html
/Patrik
A tip is to set up a virtual server for testing and test with Qualys SSL labs. Then you can see the browser compatibility.
/Patrik
The last one should be DES-CBC3-SHA.
"!" means that you DON'T want the cipher in the list and you separate each cipher with a ":".
Here's an OK, if a bit outdated, article about cipher strings:
https://devcentral.f5.com/articles/ssl-profiles-part-4-cipher-suites
/Patrik
- Techgeeeg
Nimbostratus
Hi Guys,
Is there a way to prioritize the Ciphers that support Forward Secrecy over other ciphers....
- nathe
Cirrocumulus
If you append @STRENGTH to the end of the cipher string I think that will prioritise PFS ciphers from the BIG-IP. Someone may correct me on this....
- Techgeeeg
Nimbostratus
Actually I already did that, but it puts the ciphers in the order of no. of bits, like first it will put all 256, then 192, then 128 and so on.... but not in the order of PFS.
- Brad_Parker
Cirrus
'RSA+RC4-SHA:AES256-SHA:AES128-SHA:RSA+3DES' will order the ciphers as requested.

    tmm --clientciphers 'RSA+RC4-SHA:AES256-SHA:AES128-SHA:RSA+3DES'
         ID  SUITE         BITS  PROT    METHOD  CIPHER  MAC  KEYX
     0:   5  RC4-SHA       128   SSL3    Native  RC4     SHA  RSA
     1:   5  RC4-SHA       128   TLS1    Native  RC4     SHA  RSA
     2:   5  RC4-SHA       128   TLS1.1  Native  RC4     SHA  RSA
     3:   5  RC4-SHA       128   TLS1.2  Native  RC4     SHA  RSA
     4:  53  AES256-SHA    256   SSL3    Native  AES     SHA  RSA
     5:  53  AES256-SHA    256   TLS1    Native  AES     SHA  RSA
     6:  53  AES256-SHA    256   TLS1.1  Native  AES     SHA  RSA
     7:  53  AES256-SHA    256   TLS1.2  Native  AES     SHA  RSA
     8:  53  AES256-SHA    256   DTLS1   Native  AES     SHA  RSA
     9:  47  AES128-SHA    128   SSL3    Native  AES     SHA  RSA
    10:  47  AES128-SHA    128   TLS1    Native  AES     SHA  RSA
    11:  47  AES128-SHA    128   TLS1.1  Native  AES     SHA  RSA
    12:  47  AES128-SHA    128   TLS1.2  Native  AES     SHA  RSA
    13:  47  AES128-SHA    128   DTLS1   Native  AES     SHA  RSA
    14:  10  DES-CBC3-SHA  168   SSL3    Native  DES     SHA  RSA
    15:  10  DES-CBC3-SHA  168   TLS1    Native  DES     SHA  RSA
    16:  10  DES-CBC3-SHA  168   TLS1.1  Native  DES     SHA  RSA
    17:  10  DES-CBC3-SHA  168   TLS1.2  Native  DES     SHA  RSA
    18:  10  DES-CBC3-SHA  168   DTLS1   Native  DES     SHA  RSA

PFS would be prioritized by specifying cipher suites that are PFS first. @STRENGTH really isn't valid any more as it just orders based on bits, not cipher suite. @SPEED is similar as it orders it by smallest bit to largest. i.e. '!EXPORT:!SSLv3:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES:RSA+3DES'

    tmm --clientciphers '!EXPORT:!SSLv3:ECDHE+AES-GCM:ECDHE+AES:ECDHE+3DES:ECDHE+RSA:RSA+AES-GCM:RSA+AES:RSA+3DES'
            ID  SUITE                        BITS  PROT    METHOD  CIPHER   MAC     KEYX
     0:  49200  ECDHE-RSA-AES256-GCM-SHA384  256   TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
     1:  49199  ECDHE-RSA-AES128-GCM-SHA256  128   TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
     2:  49192  ECDHE-RSA-AES256-SHA384      256   TLS1.2  Native  AES      SHA384  ECDHE_RSA
     3:  49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1    Native  AES      SHA     ECDHE_RSA
     4:  49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.1  Native  AES      SHA     ECDHE_RSA
     5:  49172  ECDHE-RSA-AES256-CBC-SHA     256   TLS1.2  Native  AES      SHA     ECDHE_RSA
     6:  49191  ECDHE-RSA-AES128-SHA256      128   TLS1.2  Native  AES      SHA256  ECDHE_RSA
     7:  49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1    Native  AES      SHA     ECDHE_RSA
     8:  49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.1  Native  AES      SHA     ECDHE_RSA
     9:  49171  ECDHE-RSA-AES128-CBC-SHA     128   TLS1.2  Native  AES      SHA     ECDHE_RSA
    10:  49170  ECDHE-RSA-DES-CBC3-SHA       168   TLS1    Native  DES      SHA     ECDHE_RSA
    11:  49170  ECDHE-RSA-DES-CBC3-SHA       168   TLS1.1  Native  DES      SHA     ECDHE_RSA
    12:  49170  ECDHE-RSA-DES-CBC3-SHA       168   TLS1.2  Native  DES      SHA     ECDHE_RSA
    13:    157  AES256-GCM-SHA384            256   TLS1.2  Native  AES-GCM  SHA384  RSA
    14:    156  AES128-GCM-SHA256            128   TLS1.2  Native  AES-GCM  SHA256  RSA
    15:     61  AES256-SHA256                256   TLS1.2  Native  AES      SHA256  RSA
    16:     53  AES256-SHA                   256   TLS1    Native  AES      SHA     RSA
    17:     53  AES256-SHA                   256   TLS1.1  Native  AES      SHA     RSA
    18:     53  AES256-SHA                   256   TLS1.2  Native  AES      SHA     RSA
    19:     53  AES256-SHA                   256   DTLS1   Native  AES      SHA     RSA
    20:     60  AES128-SHA256                128   TLS1.2  Native  AES      SHA256  RSA
    21:     47  AES128-SHA                   128   TLS1    Native  AES      SHA     RSA
    22:     47  AES128-SHA                   128   TLS1.1  Native  AES      SHA     RSA
    23:     47  AES128-SHA                   128   TLS1.2  Native  AES      SHA     RSA
    24:     47  AES128-SHA                   128   DTLS1   Native  AES      SHA     RSA
    25:     10  DES-CBC3-SHA                 168   TLS1    Native  DES      SHA     RSA
    26:     10  DES-CBC3-SHA                 168   TLS1.1  Native  DES      SHA     RSA
    27:     10  DES-CBC3-SHA                 168   TLS1.2  Native  DES      SHA     RSA
    28:     10  DES-CBC3-SHA                 168   DTLS1   Native  DES      SHA     RSA

- Techgeeeg_28888
Nimbostratus
Hi Brad,
Thanks for the reply..... so what I believe is that by PFS Preference the ciphers can't be set on F5.
- Brad_Parker
Cirrus
What do you mean by that? The order shown above is the preference order, with the F5 preferring the ciphers listed first.
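To check a cipher string's resulting order rather than eyeball it, the listing printed by `tmm --clientciphers` can be parsed and audited. The following is an added example, not code from the thread or from F5; it assumes the column layout shown in the output above, and the names `parse`, `is_pfs` and `audit` are illustrative.

```python
import re

# Rows excerpted from the two `tmm --clientciphers` listings posted in the thread.
RSA_ONLY = """\
 0:     5  RC4-SHA       128  SSL3    Native  RC4  SHA  RSA
 3:     5  RC4-SHA       128  TLS1.2  Native  RC4  SHA  RSA
 7:    53  AES256-SHA    256  TLS1.2  Native  AES  SHA  RSA
17:    10  DES-CBC3-SHA  168  TLS1.2  Native  DES  SHA  RSA
"""
PFS_FIRST = """\
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384  256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 6: 49191  ECDHE-RSA-AES128-SHA256      128  TLS1.2  Native  AES      SHA256  ECDHE_RSA
12: 49170  ECDHE-RSA-DES-CBC3-SHA       168  TLS1.2  Native  DES      SHA     ECDHE_RSA
13:   157  AES256-GCM-SHA384            256  TLS1.2  Native  AES-GCM  SHA384  RSA
27:    10  DES-CBC3-SHA                 168  TLS1.2  Native  DES      SHA     RSA
"""

ROW = re.compile(r"^\s*(\d+):\s+(\d+)\s+(\S+)\s+(\d+)" + r"\s+(\S+)" * 5 + r"\s*$")
FIELDS = ("idx", "id", "suite", "bits", "prot", "method", "cipher", "mac", "keyx")

def parse(listing):
    """Return rows in printed order, which is the BIG-IP preference order."""
    rows = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:  # the header line and blank lines do not match and are skipped
            rows.append(dict(zip(FIELDS, m.groups())))
    return rows

def is_pfs(row):
    # Ephemeral (EC)DH key exchange gives forward secrecy; static RSA does not.
    # Only ECDHE-* suites appear in the thread; the DHE- prefix is an assumption.
    return row["suite"].startswith(("ECDHE-", "DHE-"))

def audit(listing):
    rows = parse(listing)
    first_non_pfs = next((i for i, r in enumerate(rows) if not is_pfs(r)), len(rows))
    # Any forward-secret suite listed after a non-PFS suite is out of order.
    misordered = [r["suite"] for r in rows[first_non_pfs:] if is_pfs(r)]
    # RC4, (3)DES (CIPHER column "DES") and SSL3 are legacy and worth removing.
    legacy = sorted({r["suite"] for r in rows
                     if r["cipher"] in ("RC4", "DES") or r["prot"] == "SSL3"})
    offered = any(is_pfs(r) for r in rows)
    return {"pfs_offered": offered, "pfs_first": offered and not misordered,
            "misordered": misordered, "legacy": legacy}

if __name__ == "__main__":
    for name, listing in (("RSA_ONLY", RSA_ONLY), ("PFS_FIRST", PFS_FIRST)):
        print(name, audit(listing))
```

On a BIG-IP, pass the full output of `tmm --clientciphers '<cipher string>'` to `audit()` in place of the excerpts.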